The Office of the Comptroller of the Currency (“OCC”) recently issued its Semiannual Risk Perspective. The OCC identified cybersecurity as a key operational risk, pointing to the increasing speed and sophistication of cybersecurity threats, which can target the theft of personally identifiable information, intellectual property, and bank funds.

The Semiannual Risk Perspective identifies two specific kinds of risk: phishing, and the use of unpatched or unsupported software and hardware by banks and their service providers. Phishing uses deceptive messages to trick people into opening files or clicking on links, which can allow cybercriminals to install malware on a bank's network. Once the malware is in place, the attackers can use it to load additional malware or ransomware, access confidential information, conduct espionage, or take control of internal banking platforms and use them to make fraudulent payments. Continuing to run software or hardware that is out of date or no longer supported by its vendor leaves known vulnerabilities unpatched and can likewise lead to data breaches.

The report also emphasizes that, should a cybersecurity breach occur, a bank must already have a well-established and tested incident response plan in place. Bank management should clearly designate the personnel responsible for each key response function, including public affairs, operations, legal, and coordination with service providers, law enforcement, and other government entities.

Finally, the report stresses that a comprehensive cybersecurity program must take into account the bank’s reliance on third parties. Service providers that have remote access or are responsible for system management are increasingly likely to be targeted. The report observes that many of the large cybersecurity breaches that have occurred over the course of the past year have been the result of cybercriminals gaining access to bank data through third parties.

The OCC’s report reaffirms that cybersecurity continues to be one of the most significant risks faced by financial institutions today.

Katherine Mooney Carroll’s practice focuses on advising U.S. and international financial institutions on U.S. regulatory matters, including recent reforms pursuant to the Dodd-Frank Act, regulatory aspects of bank M&A, cybersecurity and privacy matters, and compliance with U.S. sanctions and anti-money laundering laws.

Francesco De Biasi’s practice primarily focuses on private enforcement and internal investigations of corporate wrongdoing, with a focus on the requirements under Legislative Decree 231/2001, as well as on corporate, civil, labor law and data protection matters related to white collar crimes.